The Atlassian Extension Spaces have been migrated to http://plugins.atlassian.com. These pages are now deprecated and will soon be deleted.

Sun Access Manager (OpenSSO) Integration

Name: Sun Access Manager (OpenSSO) Integration
Version: 1.1
Product Versions: Sun Access Manager 7.1 u1
Author(s): Alexey Abashev
Homepage: http://code.google.com/p/jira-suite-utilities/
License: BSD Licence
Issue Tracking: http://code.google.com/p/jira-suite-utilities/issues/list
Download: http://code.google.com/p/jira-suite-utilities/downloads/list

Description/Features

This extension helps integrate Atlassian Jira with the Sun Access Manager (OpenSSO) product. It is intended for organizations that already use Sun Access Manager or that want to migrate to OpenSSO.
Atlassian has put a lot of effort into integrating Jira with external user management services, but right now only one solution fully integrates with Jira: Crowd. To create this plugin I used the documentation on integrating Jira with Crowd and the sources of the osuser and propertyset products.

In this text I use two terms interchangeably: Sun Access Manager and OpenSSO. For this purpose the difference between them does not matter.

A good place to get started with Sun Access Manager is http://www.sun.com/software/products/access_mgr/index.jsp
or, for OpenSSO, https://opensso.dev.java.net/

Installation

  1. First, generate the OpenSSO SDK configuration file. If you have access to the OpenSSO deployment folder, run setup.sh from the folder <deploy folder>/sdk and answer its questions; this produces the file AMClient.properties. Rename it to AMConfig.properties and put it into the folder WEB-INF/classes inside the exploded Jira war.
    If you don't have access to the OpenSSO installation, take the file AMConfig.properties from the distribution and manually change these values inside it:
    com.iplanet.am.naming.url: URL of your OpenSSO server
    com.sun.identity.agents.app.username: login of the administrator, or of a user who has rights to browse users
    com.iplanet.am.service.password: password of the administrator, or of a user who has rights to browse users

    Then copy the file into the folder WEB-INF/classes inside the exploded Jira war.

  2. Copy the integration libraries into the exploded Jira war. There are two ways to install the plugin:
    1. (Preferred way) If you want to use the standard SDK from Sun Access Manager 7.1u1, copy this file:
      File                                                      Folder inside Jira war (JIRA/atlassian-jira/)
      opensso-jira-integration-1.1-jar-with-dependencies.jar    WEB-INF/lib
    2. If you want to use your own client SDK, copy these files:
      File                           Folder inside Jira war (JIRA/atlassian-jira/)
      opensso-integration-1.1.jar    WEB-INF/lib
      seraph-provider-1.0.0.jar      WEB-INF/lib
      your opensso-sdk.jar           WEB-INF/lib
  3. Create opensso.properties inside JIRA/atlassian-jira/WEB-INF/classes. It is a simple properties file, and its content should look like this:
    # Realm specifies the OpenSSO realm used for authentication. If not specified, the default realm is used.
    #realm =
    
    # Default group for all Jira users. If specified, only users from this group are used in all user pickers and user searches.
    # If not specified, all users from the realm are used.
    #default.group = jira-users
    
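
A check for the AMConfig.properties file from step 1, as an added example that is not part of the plugin or its distribution. It assumes that amadmin (the default OpenSSO administrator name) is the account to avoid, and it flags a file that other local users can access because the file holds that account's password; the sample values are constructed.

```python
import os
import stat
import tempfile

# The three keys step 1 says must be set by hand.
REQUIRED = ("com.iplanet.am.naming.url",
            "com.sun.identity.agents.app.username",
            "com.iplanet.am.service.password")

# Constructed sample: host and account are placeholders, password left empty.
SAMPLE = """\
# AMConfig.properties (excerpt)
com.iplanet.am.naming.url=https://sso.example.com/sso/namingservice
com.sun.identity.agents.app.username=amadmin
com.iplanet.am.service.password=
"""

def load_properties(text):
    """Parse simple key=value lines, skipping blanks and # or ! comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!":
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def check_amconfig(path):
    """Return a list of findings for the AMConfig.properties file at path."""
    with open(path, encoding="latin-1") as fh:
        props = load_properties(fh.read())
    findings = [f"{key} is not set" for key in REQUIRED if not props.get(key)]
    # Assumption: amadmin is the top-level admin; a browse-only account is enough.
    if props.get(REQUIRED[1], "").lower() == "amadmin":
        findings.append("SDK logs in as amadmin; use an account limited to browsing users")
    # The file holds the account password, so other local users must not reach it.
    if stat.S_IMODE(os.stat(path).st_mode) & stat.S_IRWXO:
        findings.append("file is accessible to other local users")
    return findings

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "AMConfig.properties")
        with open(path, "w", encoding="latin-1") as fh:
            fh.write(SAMPLE)
        os.chmod(path, 0o644)
        for finding in check_amconfig(path):
            print("FINDING:", finding)
```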

Configuration

There are three ways to integrate OpenSSO with Jira:

  1. Use OpenSSO only for storing user credentials, with authentication through the standard Jira dialog. You can skip Step #1
  2. Use OpenSSO only for authenticating users, with all credentials stored inside the Jira database. You can skip Step #2
  3. Use OpenSSO both for authentication and for storing user credentials. Do not skip anything

Step 1

  1. Edit the JIRA config file JIRA/atlassian-jira/WEB-INF/classes/osuser.xml. Comment out any existing authentication providers and uncomment/insert the OpenSSO providers:
    <!-- This is where JIRA's credentials checking can be configured. For instance, see
    http://www.atlassian.com/software/jira/docs/latest/ldap.html -->
    <opensymphony-user>
      <authenticator class="com.opensymphony.user.authenticator.SmartAuthenticator" />
    
      <provider class="com.sun.identity.integration.osuser.OpenSSOCredentialsProvider"/>
      <provider class="com.sun.identity.integration.osuser.OpenSSOAccessProvider"/>
      <provider class="com.sun.identity.integration.osuser.OpenSSOProfileProvider"/>
    
    <!--
      <provider class="com.atlassian.core.ofbiz.osuser.CoreOFBizCredentialsProvider">
        <property name="exclusive-access">true</property>
      </provider>
    
      <provider class="com.opensymphony.user.provider.ofbiz.OFBizProfileProvider">
        <property name="exclusive-access">true</property>
      </provider>
    
      <provider class="com.opensymphony.user.provider.ofbiz.OFBizAccessProvider">
        <property name="exclusive-access">true</property>
      </provider>
    -->
    
    </opensymphony-user>
    
  2. Edit JIRA/atlassian-jira/WEB-INF/classes/propertyset.xml. Add the following <propertyset> at the end of the file as the last <propertyset>:
    <propertyset name="opensso" class="com.sun.identity.integration.osuser.OpenSSOPropertySet"/>
    

Step 2

  1. Edit JIRA/atlassian-jira/WEB-INF/classes/seraph-config.xml. Change the authenticator node to this one:
    <authenticator class="com.sun.identity.provider.seraph.OpenSsoAuthenticator"/>
    
  2. Edit these values in JIRA/atlassian-jira/WEB-INF/classes/seraph-config.xml:
    <param-name>login.url</param-name>
    <param-value>https://YOUR_SSO_SERVER/sso/UI/Login?goto=${originalurl}</param-value>
    
    <param-name>link.login.url</param-name>
    <param-value>https://YOUR_SSO_SERVER/sso/UI/Login?goto=${originalurl}</param-value>
    
    <param-name>logout.url</param-name>
    <param-value>https://YOUR_SSO_SERVER/sso/UI/Logout</param-value>
    
  3. Now you will need to do one of two things:
    1. If you have a public JIRA, you're done.
    2. If you have a private JIRA and want users always to be redirected to SSO, with no login form or links shown, add this to JIRA/atlassian-jira/WEB-INF/classes/seraph-paths.xml:
      <path name="user">
        <url-pattern>/*</url-pattern>
        <role-name>user</role-name>
      </path>
      

And that's all. But be aware that a user in OpenSSO must be at least in the group jira-user to log in to Jira.
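
A check of the Step 2 result, as an added example that is not part of the plugin. It assumes the usual Seraph layout in which each param-name/param-value pair sits inside an init-param element; the sample document and the host sso.example.com are constructed.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

EXPECTED_AUTH = "com.sun.identity.provider.seraph.OpenSsoAuthenticator"

# Constructed sample: login.url still carries the placeholder host and
# logout.url was entered with plain http.
SAMPLE = """<security-config>
  <parameters>
    <init-param><param-name>login.url</param-name>
      <param-value>https://YOUR_SSO_SERVER/sso/UI/Login?goto=${originalurl}</param-value></init-param>
    <init-param><param-name>link.login.url</param-name>
      <param-value>https://sso.example.com/sso/UI/Login?goto=${originalurl}</param-value></init-param>
    <init-param><param-name>logout.url</param-name>
      <param-value>http://sso.example.com/sso/UI/Logout</param-value></init-param>
  </parameters>
  <authenticator class="com.sun.identity.provider.seraph.OpenSsoAuthenticator"/>
</security-config>"""

def check_seraph(xml_text):
    """Return a list of findings for a seraph-config.xml document."""
    root = ET.fromstring(xml_text)
    findings = []
    auth = root.find(".//authenticator")
    if auth is None or auth.get("class") != EXPECTED_AUTH:
        findings.append("authenticator is not OpenSsoAuthenticator")
    params = {p.findtext("param-name", "").strip(): p.findtext("param-value", "").strip()
              for p in root.iter("init-param")}
    hosts = set()
    for name in ("login.url", "link.login.url", "logout.url"):
        url = urlsplit(params.get(name, ""))
        if not url.hostname:  # e.g. Jira's stock relative /login.jsp value
            findings.append(f"{name} is missing or not an absolute URL")
        elif url.hostname == "your_sso_server":  # urlsplit lowercases the host
            findings.append(f"{name} still has the YOUR_SSO_SERVER placeholder")
        else:
            hosts.add(url.hostname)
            if url.scheme != "https":
                findings.append(f"{name} does not use https")
            if name != "logout.url" and "${originalurl}" not in url.query:
                findings.append(f"{name} does not pass goto=${{originalurl}}")
    if len(hosts) > 1:
        findings.append("login and logout URLs point at different SSO hosts")
    return findings

if __name__ == "__main__":
    for finding in check_seraph(SAMPLE):
        print("FINDING:", finding)
```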

  1. Sep 15, 2008

    Robert Dale says:

    If you don't need full integration but want only pure Single Sign On, there's a plugin at https://opensso.dev.java.net/source/browse/opensso/extensions/seraphprovider/

    1. Sep 24, 2008

      Alexey Abashev says:

      Robert,

      Great news, if you don't mind I will use it in the next version.

  2. Oct 27, 2008

    Neeraj Jhanji says:

    Hello Alexey,

    Thanks for this. Are there any plans to offer a similar plugin to integrate Confluence with Sun Access Manager (OpenSSO)?

    regards,

    Neeraj

    1. Nov 11, 2008

      Alexey Abashev says:

      Neeraj,

      As I know you could use seraph provider from this project with Confluence. Or you could use this one - http://confluence.atlassian.com/display/CONFEXT/Access+Manager+(Sun+Identity+Server)+custom+Seraph+authenticator+for+Confluence